Cyrus IMAPd 2.2.13p1 & 2.3.15 Released
Duncan Gibb
duncan.gibb at siriusit.co.uk
Wed Sep 9 12:35:55 EDT 2009
Thomas Jarosch wrote:
KM> I'd like to announce the releases of Cyrus IMAPd 2.2.13p1 and 2.3.15.
KM> These releases should both be considered production quality. These
KM> releases are being made at this time to fix the potential buffer
KM> overflow vulnerability described in CERT VU#336053:
KM> http://www.kb.cert.org/vuls/id/336053
TJ> Regarding the buffer overflow: The cert website currently outputs a
TJ> "Lotus Notes exception". Is the overflow theoretically exploitable
TJ> via a malicious email or does a user need to upload a malicious
TJ> sieve script?
Hmmm... Still down...
The user has to upload a malicious sieve script. The DSA reads:

    It was discovered that the SIEVE component of cyrus-imapd, a
    highly scalable enterprise mail system, is vulnerable to a
    buffer overflow when processing SIEVE scripts. Due to incorrect
    use of the sizeof() operator an attacker is able to pass a
    negative length to snprintf() calls resulting in large positive
    values due to integer conversion. This causes a buffer overflow
    which can be used to elevate privileges to the cyrus system
    user. An attacker who is able to install SIEVE scripts executed
    by the server is therefore able to read and modify arbitrary
    email messages on the system.

Bron's fix is at
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.67;r2=1.68
Cheers
Duncan
--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
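
The bug class the DSA describes (sizeof() applied to a pointer, then a negative remaining length converted to size_t for snprintf()), shown next to a bounds-checked form. This is an added illustration constructed for this page, not the Cyrus source or Bron's patch; the function names and buffer sizes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Flawed arithmetic, constructed for illustration. 'buf' is a pointer
 * parameter, so sizeof(buf) is the pointer size (4 or 8), not the size
 * of the caller's array. Only the length is computed here; nothing is
 * written with it. */
size_t len_from_sizeof_pointer(char *buf, int used)
{
    int left = (int)sizeof(buf) - used;  /* negative once used > pointer size */
    return (size_t)left;                 /* conversion yields a huge positive value */
}

/* Hardened form: the caller passes the real capacity, and the remaining
 * space is validated before subtracting, so it can never wrap.
 * Returns 0 on success, 1 if the text was truncated, -1 on error. */
int append_checked(char *buf, size_t cap, size_t *used, const char *text)
{
    if (cap == 0 || *used >= cap)
        return -1;
    size_t left = cap - *used;           /* at least 1: room for the NUL */
    int n = snprintf(buf + *used, left, "%s", text);
    if (n < 0)
        return -1;
    if ((size_t)n >= left) {             /* snprintf truncated the output */
        *used = cap - 1;
        return 1;
    }
    *used += (size_t)n;
    return 0;
}

int main(void)
{
    char errbuf[32] = "";                /* constructed sample buffer */
    size_t used = 0;

    printf("flawed length with used=20: %zu\n",
           len_from_sizeof_pointer(errbuf, 20));

    int rc1 = append_checked(errbuf, sizeof errbuf, &used, "script error: ");
    int rc2 = append_checked(errbuf, sizeof errbuf, &used,
                             "a message longer than the space that is left");
    printf("rc=%d,%d used=%zu buf=\"%s\"\n", rc1, rc2, used, errbuf);
    return 0;
}
```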